Transport Rules Rule

First there was AUTODIN and ARPANet. Then there was the "@" sign. Today there are Exchange 2007's Hub Transport servers. One of the exciting changes to Exchange 2007 is that all mail now goes through the Hub Transport server role, and when we say all mail, we mean every single message.

If you send an e-mail over the Internet -- even with an Edge Transport server in place -- it will go through the Hub first. Send an e-mail message to another user within your organization and it will go through the Hub first. Send an e-mail message to another user on the same mailbox server and it will still go through the Hub before being returned to that same server.

The benefit of having one server role handling all mail from both internal and external locations is that you can enforce rules to apply your policies while the mail is in transit. Let's look at how these rules work and how you can create them. Then we'll look into the practical uses of transport rules so you can visualize how they will work in your environment.

Follow the Rules
If you've ever created rules for Outlook to handle your inbound e-mail, the concept is similar. The transport rules will affect your entire organization, though, as opposed to a single mailbox.

The actual process of creating a transport rule will seem familiar if you've used the Outlook Rules Wizard. You have conditions to make the rule go into effect, the actions that should be taken if any conditions are met and any exceptions that might disqualify a rule from being applied. Creating a rule doesn't mean it's automatically enabled, by the way. You can disable a rule so it's only applied when you turn it on.

There's a Transport Rules Agent for the Hub Transport server, and an Edge Rules Agent for the Edge Transport server. Both are similar in concept, but differ in how you use them. If you aren't using an Edge Transport server, you apply all your rules on the Hub Transport server. If you're using an Edge Transport server, though, then you should ensure that you apply only certain rules to the Edge as well.

For example, if there's a virus circulating that has a specific file extension, you can tell your Edge servers to drop any messages with that extension. If you think it may have already gotten into your network, make sure your Hub servers know to drop those messages as well.

Keep in mind that rules you create for the Hub Transport servers are established at the organizational level -- they will apply throughout your organization. Those created on an Edge Transport server will only apply on that server. Rules aren't shared, so you'll have to individually establish them on your Edge servers.

Anything's Possible
There are simply too many possible combinations of conditions, actions and exceptions to review them all. As you'll see in the following scenario, the possibilities are endless.

Imagine there's an "ethical wall" that prohibits one group within your organization from communicating with another. This is a common scenario where different departments must operate independently of each other due to the possibility of inappropriately sharing private or sensitive information -- much like billing or patient care in a health care situation.

Rather than leaving it to your employees to act appropriately and not share information, you create a transport rule. This rule will ensure that all e-mails going from the ReallySecret distribution group to the NotSupposedToKnow group are redirected to the LegalDept, with one exception: Messages will pass through if the message is from Project Manager Rick Sanford.

Let's walk through this type of rule. From the Exchange Management Console, you want to expand the Organization Configuration. Select the Hub Transport node and then the Transport Rules tab. Understanding where you're creating these rules should help you visualize that they're going to be applied organization-wide. If your Actions pane is available, you can see the New Transport Rule link (see Figure 1).

[Click on image for larger view.]

Figure 2.The Introduction pane lets you provide a name and comment. You can also choose to enable or disable the rule upon creation.

Start the New Transport Rule wizard and you'll see the Introduction pane (see Figure 2) that asks for the name of the rule and a comment. Here you can explain the full purpose of the rule you're creating. You can also select a checkbox to enable the rule once the wizard is complete -- this is selected by default, but you might want to uncheck it if the rule won't be ready to use yet. When you're finished, click Next.

The Conditions pane (see Figure 3) lets you select a condition and apply additional values. First select the "between members of distribution list and distribution list" option, and define them as the ReallySecret and NotSupposedToKnow distribution lists. Then click Next.

Within the Actions pane (see Figure 4) you can determine several different actions that will help you prevent one group from receiving the message while the legal department receives a copy. In this case, use the "redirect the message to addresses" option and add LegalDept as a value. This will send the message to legal without delivering it to the original recipient -- the NotSupposedToKnow group. No notification is sent to the recipients or the sender. Then click Next.

[Click on image for larger view.]

Figure 4.The Actions pane lets you determine what should happen to messages that meet your established conditions. You can also select multiple actions.

The Exceptions pane (see Figure 5) lets you supply any exceptions to the rule, as any rule usually has at least one exception. In this case, we're going to select "except when the message is from people" and establish Rick Sanford as the value. Then select Next. Exchange will give you a complete configuration summary before creating the rule. You can hit the Back key to make changes. Once you're satisfied with the rule and its parameters, select New. Exchange will create the rule and show you a Completion pane.

[Click on image for larger view.]

Figure 5.The Exceptions pane lets you establish situations where the rule shouldn't be applied even if it meets the conditions.

Additionally, this Completion pane will show you the PowerShell commands you could have used to create the rule, although using the wizard is much easier. Select Finish and now you'll have the rule in your Transport Rules tab. You can select the rule or right-click on it to disable, remove or edit it.

Practical Transport Rules
Being able to apply policies to mail in transit is an amazing feature, and easy to short-change in terms of its importance. Microsoft provides the following usage to consider:

Apply disclaimers to messages as they pass through the organization or pass onto the Internet.

Track or archive messages that are sent to or received from specific individuals.

Redirect inbound and outbound messages for inspection before delivery.

An accounting firm in Manhattan wanted to append a disclaimer to all messages going to outside clients, but not to internal e-mails. This was easy to do using the condition "sent to users inside or outside the organization" and then determining the value to be outside. The action was "append disclaimer text using font, size and color, with separator and fallback to wrap if unable to apply."

This may sound cryptic, but actually it lets you determine all sorts of values like prepend or append -- putting the message at the beginning or end of each e-mail sent outside -- and then add the disclaimer text itself so it's correct every time. You can also indicate the exact font, size, text color and so on. It's an impressive rule that actually allows for quite a bit of configuration.

Another perfect use for rules is in conjunction with message classifications. You can apply a classification using Exchange's built-in defaults such as ACPrivileged for attorney-client privileges, or you can create your own classifications. Within those conditions, you can choose the "marked with classification" option and set the value to be the classification for which you're watching.

In some cases, you may need to make a copy for another department (like the legal department) through the Actions pane. You might also try educating your users with a "send bounce message to sender with enhanced status code." This will send a non-delivery receipt to the sender that you can configure personally. The default message is "Delivery not authorized, message refused," with an error code of 5.7.1. You can change that message to explain more forcefully or completely why the message was refused, as long as you keep the message to 128 characters.

You can apply an endless variety of rules to your Exchange e-mail. Prevent the sending of messages over a certain size, stop a new virus based upon message characteristics you've specified, or simply watch for suspicious behavior from a particular employee or group by supervising any messages they send -- all through transport rules.

The Rules Have It
The hows and whys of transport rules should be quite clear at this point, but you might have some questions regarding the number of rules you can have and how they affect the overall performance of the Hub Transport server. Logically, if the server has to look at each message and see if it meets certain conditions or exceptions and then apply actions, then that has to interfere with performance. The more messages that travel through those servers and the more rules they have, the more work the servers must perform.

On his blog, Exchange expert Jim McBee tells us we can have a maximum of 1,000 rules. He confirms that the Hub Transport server handles each message that comes through for all messages in RAM. He writes: "The more rules and the more messages that pass through the Hub Transport server role, the more RAM you should have and the beefier the Hub Transport servers should be."

You can use rules sparingly but effectively within your organization. You have the power to enforce a greater level of security, privacy and protection within your environment thanks to this new server role and the way all mail travels through it. Applying messaging policy in transit is truly something else.